Hey @securehops,

The document explains that you can have different GWLBe for Outbound and East-West traffic, for the same reason - more control over the rules and easier creation of different rules for outbound and east-west. But this is only to differentiate between outbound and east-west (any east-west).


The key element is that both (outbound and east-west) are still intra-zone traffic: once the firewall receives a packet from one of the GWLBe, it will return it to the exact same GWLBe it came from. But in this case both VPCs are associated with the same East-West GWLBe, which means the rule for traffic between the two VPCs will still be intra-zone traffic with source and destination the east-west zone (associated with the east-west GWLBe).


Let's break down the architecture from the document:

- The decision of which GWLBe is used is dictated by the routing table of the TGW attachment in the security hub VPC. Based on the destination IP address, traffic will be routed to one of the GWLBe, let's say the VPC-Prod GWLBe (if we use your idea).

- Once the traffic is forwarded to that specific GWLBe, it encapsulates the packet with the GENEVE protocol and sends it to the firewall. There the FW will decapsulate it and use that information to map the traffic to a given zone. Let's say it will use zone "VPC-Prod" as the source zone.

- Because traffic is received via the GENEVE protocol, the FW will not perform a route lookup to determine the destination zone, but instead will automatically use the source zone as the destination as well. After it inspects the packet it will encapsulate it again and return it to the exact same GWLBe, in this case VPC-Prod.

- Once the GWLBe "VPC-Prod" receives the traffic back, it will remove the GENEVE encapsulation again and use its own routing table to further forward the traffic.

- Traffic will be forwarded to the TGW, and more specifically the TGW route table associated with the attachment in the security hub VPC. From there it should be clear how the traffic will reach the target.


Let's say the traffic has reached the destination and it has generated a reply:

- This reply will be forwarded to the TGW and, using the TGW route table, will be forwarded to the attachment in the security hub VPC.

- There it will again look at the routing table to decide which GWLBe to use. And if you decide to point it to a different endpoint, let's say VPC-Shared, as you can imagine this will be forwarded to the firewall under a different source zone, which will not match the session created by the original request, and it will treat it as a new session.

- But even if somehow the firewall were to allow this traffic (if it is TCP it will drop it, but probably ICMP and UDP may still pass through as those are stateless protocols), this traffic will still be treated as intra-zone traffic and the destination zone will be the same as the source.


I hope this makes it more clear...

You can separate East-West from Outbound traffic, following the design from the link, but you still need to create intra-zone rules for allowing this traffic. In addition, it is hard for me to imagine a way you can further separate east-west traffic based on the VPCs. All VPCs (and the VPN to on-prem) need to be routed/associated with the same GWLBe in order to have symmetric routing.
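The packet flow described in this post, as an added example that is not part of the post or of any vendor code: a small Python model of the zone handling (source zone taken from the ingress GWLBe, destination zone set equal to it, packet returned to the same GWLBe, TCP reply arriving via another GWLBe dropped for lack of a matching session) plus a check that every VPC CIDR in the TGW attachment route table resolves to a single GWLBe. Endpoint names, zone names, CIDRs and ports are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed GWLBe-to-zone binding (names are assumptions, not from the thread).
GWLBE_ZONE = {"gwlbe-prod": "VPC-Prod", "gwlbe-shared": "VPC-Shared",
              "gwlbe-eastwest": "east-west", "gwlbe-outbound": "outbound"}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int

    def reverse(self):
        return Flow(self.proto, self.dst, self.src, self.dport, self.sport)


class Firewall:
    """Models zone handling for GENEVE-encapsulated traffic arriving from a GWLBe."""

    def __init__(self):
        self.sessions = {}  # (flow, ingress zone) -> (source zone, destination zone)

    def inspect(self, flow, gwlbe, tcp_syn=True):
        zone = GWLBE_ZONE[gwlbe]
        # GENEVE ingress: no route lookup, destination zone == source zone (intra-zone)
        if (flow, zone) in self.sessions or (flow.reverse(), zone) in self.sessions:
            return "match", gwlbe
        if flow.proto == "tcp" and not tcp_syn:
            return "drop:no-session", None  # reply came in under a different zone
        self.sessions[(flow, zone)] = (zone, zone)  # new intra-zone session
        return "new-session", gwlbe  # always handed back to the ingress GWLBe


def gwlbes_used(routes, vpc_cidrs):
    """Longest-prefix match each VPC CIDR against (cidr, gwlbe) route entries and
    return the set of endpoints chosen; symmetric routing needs exactly one."""
    chosen = set()
    for cidr in vpc_cidrs:
        net = ipaddress.ip_network(cidr)
        matches = [(ipaddress.ip_network(c).prefixlen, g) for c, g in routes
                   if net.subnet_of(ipaddress.ip_network(c))]
        chosen.add(max(matches, key=lambda m: m[0])[1])
    return chosen
```

A route table whose VPC prefixes map to more than one GWLBe (len(gwlbes_used(...)) > 1) is the asymmetric case the post describes.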
